On Wed, 15 Jul 2026 15:39:48 +0700 Arnaud Rebillout <[email protected]>
wrote:
> On Thu, 9 Jul 2026 21:34:07 +0300 Michael Tokarev <[email protected]> wrote:
> > I dunno how this prob should be solved properly. But currently,
> > xrdp is unusable with default settings.
>
> I think xrdp *is* usable with default settings, because TLS isn't
> enabled by default.

Ok, so the breakage is a bit more subtle. The default xrdp.ini value for
security_layer is 'negotiate', meaning that if it can't use 'tls', it
falls back to 'rdp'. And so far, as we said, out of the box tls didn't
work, so rdp was used.

However it seems that a recent change in freerdp makes it more strict
with crypto, and so 'rdp' security layer isn't accepted anymore.

This is dicussed upstream:

- https://github.com/neutrinolabs/xrdp/issues/3808

Leading to:

- https://github.com/FreeRDP/FreeRDP/pull/12811

Quoting from the freerdp link above:

> Disable RDP Security in FIPS mode on OpenSSL 3.4+ — The RDP FIPS
encryption method uses 3DES which is no longer approved in the OpenSSL
3.4 FIPS provider. On these versions, RDP Security is disabled so only
NLA/TLS (using AES) is negotiated.

So it seems that the right thing to to is to fix tls support in xrdp.
That could be achieved with this addition in the postinst:

    adduser xrdp ssl-cert

But is it the right thing to do? Can anyone comment on that?

I did a quick search on codesearch.debian.net, found something similar
done in postgresql-common and tryton-server.

Feedback from developers who understand that stuff better than me is
more than welcome!

Thanks,

-- 
Arnaud Rebillout / OffSec / Kali Linux Developer

Reply via email to